Merge branch 'main' into backup/mc/new-config-2

Author: Moritz Clasmeier

internal/deployer/deploy_via_operator.go

@@ -118,7 +118,8 @@ func (d *Deployer) ensureOperatorDeployed(ctx context.Context) error {
 func (d *Deployer) deployCentralOperator(ctx context.Context) error {
 	d.logger.Info("🚀 Deploying Central via Operator...")
 
-	if err := d.prepareNamespace(ctx, d.config.Central.Namespace); err != nil {
+	needPullSecrets := env.GetCurrentClusterType() != types.ClusterTypeInfraOpenShift4
+	if err := d.prepareNamespace(ctx, d.config.Central.Namespace, needPullSecrets); err != nil {
 		return fmt.Errorf("failed to prepare namespace: %w", err)
 	}
 
@@ -190,14 +191,14 @@ func (d *Deployer) getDeployedOperatorImage(ctx context.Context) (string, error)
 }
 
 // prepareNamespace creates pull secrets in the namespace if needed
-func (d *Deployer) prepareNamespace(ctx context.Context, namespace string) error {
+func (d *Deployer) prepareNamespace(ctx context.Context, namespace string, needPullSecrets bool) error {
 	d.logger.Infof("Preparing namespace %s", namespace)
 
 	if err := d.ensureNamespaceExists(namespace); err != nil {
 		return err
 	}
 
-	if env.GetCurrentClusterType() != types.ClusterTypeInfraOpenShift4 {
+	if needPullSecrets {
 		if err := d.ensurePullSecretExists(ctx, namespace); err != nil {
 			return fmt.Errorf("ensuring image pull secret exists: %w", err)
 		}
@@ -207,9 +208,11 @@ func (d *Deployer) prepareNamespace(ctx context.Context, namespace string) error
 }
 
 func (d *Deployer) ensurePullSecretExists(ctx context.Context, namespace string) error {
-	// Assemble pull secret YAML from pre-verified credentials
-	pullSecretYAML := d.dockerAuth.CreatePullSecretYAMLFromCredentials(d.dockerCreds, namespace)
+	if d.dockerCreds == nil {
+		return errors.New("no pull secrets available to set up on the cluster")
+	}
 
+	pullSecretYAML := d.dockerAuth.CreatePullSecretYAMLFromCredentials(*d.dockerCreds, namespace)
 	_, err := d.runKubectl(ctx, k8s.KubectlOptions{
 		Args:  []string{"apply", "-f", "-"},
 		Stdin: strings.NewReader(pullSecretYAML),
@@ -584,7 +587,8 @@ func (d *Deployer) configureCentralEndpoint(ctx context.Context) error {
 func (d *Deployer) deploySecuredClusterOperator(ctx context.Context) error {
 	d.logger.Info("🚀 Deploying SecuredCluster via Operator...")
 
-	if err := d.prepareNamespace(ctx, d.config.SecuredCluster.Namespace); err != nil {
+	needPullSecrets := env.GetCurrentClusterType() != types.ClusterTypeInfraOpenShift4
+	if err := d.prepareNamespace(ctx, d.config.SecuredCluster.Namespace, needPullSecrets); err != nil {
 		return fmt.Errorf("failed to prepare namespace: %w", err)
 	}
 

internal/deployer/deployer.go

@@ -51,12 +51,13 @@ type Deployer struct {
 	config Config
 
 	// State
-	centralEndpoint string
-	centralPassword string
-	roxCACertFile   string
-	tempDir         string
-	portForward     *portforward.Manager
-	portForwardPID  int
+	centralEndpoint        string
+	centralPassword        string
+	roxCACertFile          string
+	tempDir                string
+	portForward            *portforward.Manager
+	portForwardPID         int
+	useOperatorPullSecrets bool
 }
 
 type ResourceToDelete struct {
@@ -124,6 +125,7 @@ func (d *Deployer) deleteCentralResources(ctx context.Context) error {
 		{Name: "central-db-backup", Kind: "pvc"},
 		{Name: "admin-password", Kind: "secret"},
 		{Name: "scanner-db-password", Kind: "secret", OwnerName: centralCrName},
+		{Name: "stackrox-central-helm", Kind: "configmap"},
 	} {
 		d.logger.Dimf("Attempting to delete %s/%s", resource.Kind, resource.Name)
 		if resource.OwnerName != "" {

internal/deployer/operator.go

@@ -17,6 +17,7 @@ import (
 	"github.com/stackrox/roxie/internal/env"
 	"github.com/stackrox/roxie/internal/k8s"
 	"github.com/stackrox/roxie/internal/ocihelper"
+	"github.com/stackrox/roxie/internal/types"
 )
 
 const (
@@ -319,12 +320,14 @@ func (d *Deployer) deployOperatorFromCSV(ctx context.Context, bundleDir string)
 	}
 
 	serviceAccountName := deploymentSpec["service_account"].(string)
+	d.useOperatorPullSecrets = d.config.Roxie.KonfluxImages && env.GetCurrentClusterType() != types.ClusterTypeInfraOpenShift4
 
 	d.logger.Info("📋 Operator deployment plan:")
 	d.logger.Dim(fmt.Sprintf("  • Namespace: %s", operatorNamespace))
 	d.logger.Dim(fmt.Sprintf("  • ServiceAccount: %s", serviceAccountName))
+	d.logger.Dim(fmt.Sprintf("  • Setting up pull secrets: %v", d.useOperatorPullSecrets))
 
-	if err := d.createOperatorNamespace(ctx); err != nil {
+	if err := d.prepareNamespace(ctx, operatorNamespace, d.useOperatorPullSecrets); err != nil {
 		return err
 	}
 
@@ -392,24 +395,6 @@ func (d *Deployer) parseCSVDeploymentSpec(csvFile string) (map[string]interface{
 	return deploymentSpec, nil
 }
 
-// createOperatorNamespace creates the operator namespace
-func (d *Deployer) createOperatorNamespace(ctx context.Context) error {
-	nsYAML := fmt.Sprintf(`apiVersion: v1
-kind: Namespace
-metadata:
-  name: %s
-  labels:
-    name: %s
-    app.kubernetes.io/managed-by: roxie
-`, operatorNamespace, operatorNamespace)
-
-	_, err := d.runKubectl(ctx, k8s.KubectlOptions{
-		Args:  []string{"apply", "-f", "-"},
-		Stdin: strings.NewReader(nsYAML),
-	})
-	return err
-}
-
 // createServiceAccount creates a service account
 func (d *Deployer) createServiceAccount(ctx context.Context, namespace, name string) error {
 	sa := map[string]interface{}{
@@ -422,6 +407,12 @@ func (d *Deployer) createServiceAccount(ctx context.Context, namespace, name str
 		},
 	}
 
+	if d.useOperatorPullSecrets {
+		sa["imagePullSecrets"] = []map[string]string{
+			{"name": "stackrox"},
+		}
+	}
+
 	yamlData, err := yaml.Marshal(sa)
 	if err != nil {
 		return fmt.Errorf("failed to marshal ServiceAccount '%s/%s': %w", namespace, name, err)

internal/deployer/operator_olm.go

@@ -40,7 +40,7 @@ func (d *Deployer) deployOperatorViaOLM(ctx context.Context) error {
 	indexImage := d.getOperatorIndexImage()
 	d.logger.Infof("Index image: %s", indexImage)
 
-	if err := d.createOperatorNamespace(ctx); err != nil {
+	if err := d.prepareNamespace(ctx, operatorNamespace, false); err != nil {
 		return err
 	}
 

internal/dockerauth/dockerauth.go

@@ -216,7 +216,7 @@ func (d *DockerAuth) VerifyCredentials(username, password string) error {
 }
 
 // CreatePullSecretYAMLFromCredentials creates Kubernetes pull secret YAML from verified credentials.
-func (d *DockerAuth) CreatePullSecretYAMLFromCredentials(creds *Credentials, namespace string) string {
+func (d *DockerAuth) CreatePullSecretYAMLFromCredentials(creds Credentials, namespace string) string {
 	// Create auth string
 	authString := fmt.Sprintf("%s:%s", creds.Username, creds.Password)
 	encodedAuth := base64.StdEncoding.EncodeToString([]byte(authString))

internal/dockerauth/dockerauth_test.go

@@ -31,7 +31,7 @@ func TestGetAndVerifyCredentialsFromEnv(t *testing.T) {
 	}
 
 	// Test creating YAML from credentials
-	yamlText := da.CreatePullSecretYAMLFromCredentials(creds, "ns")
+	yamlText := da.CreatePullSecretYAMLFromCredentials(*creds, "ns")
 
 	// Verify YAML structure
 	if !strings.Contains(yamlText, "apiVersion: v1") {